
Amazon SQS – Security

Amazon SQS provides multiple layers of security to protect messages in transit and at rest. Data moving between producers, consumers, and the SQS service is encrypted in flight using HTTPS, ensuring protection from interception. Messages stored in the queue can be encrypted at rest using AWS KMS keys, with full control over key management and audit trails. For use cases requiring custom protection, client-side encryption can be applied, where the producer encrypts data before sending and the consumer decrypts it upon receipt.
Access control is enforced through IAM policies, which define who can call the SQS API, and through SQS access policies—similar to S3 bucket policies—that enable cross-account permissions or allow other AWS services, such as SNS or S3, to send messages directly to the queue.
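
The following is an added example, not AWS code or part of the original notes: a small audit of an SQS access policy that flags queues open to any principal, service principals such as SNS allowed without a source restriction, and policies that never deny non-HTTPS requests. The queue and topic ARNs, the account ID, the finding codes and the function names are constructed for illustration; `aws:SecureTransport`, `aws:SourceArn` and `aws:SourceAccount` are real IAM condition keys, and the checks are a heuristic that matches key names as written here.

```python
# Added example: audit an SQS queue access policy (constructed sample data).

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_keys(stmt):
    # Flatten {"Operator": {"key": value}} into a set of lower-cased condition keys.
    return {k.lower() for block in stmt.get("Condition", {}).values() for k in block}

def _denies_plain_http(stmt):
    # True for a Deny statement that applies when the request did not use TLS.
    if stmt.get("Effect") != "Deny":
        return False
    value = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return str(value).lower() == "false"

def audit_queue_policy(policy):
    """Return a sorted list of finding codes (hypothetical names) for one policy."""
    findings = set()
    statements = _as_list(policy.get("Statement", []))
    if not any(_denies_plain_http(s) for s in statements):
        findings.add("no-tls-deny")
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        keys = _condition_keys(stmt)
        is_dict = isinstance(principal, dict)
        if principal == "*" or (is_dict and "*" in _as_list(principal.get("AWS", []))):
            if not keys:  # anyone may call the action, with no condition at all
                findings.add("open-principal")
        elif is_dict and "Service" in principal:
            if not keys & {"aws:sourcearn", "aws:sourceaccount"}:
                findings.add("service-without-source")
    return sorted(findings)

QUEUE = "arn:aws:sqs:us-east-1:111122223333:orders"        # constructed ARN
TOPIC = "arn:aws:sns:us-east-1:111122223333:order-events"  # constructed ARN

WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sqs:SendMessage", "Resource": QUEUE},
    {"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
     "Action": "sqs:SendMessage", "Resource": QUEUE}]}

HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "sns.amazonaws.com"},
     "Action": "sqs:SendMessage", "Resource": QUEUE,
     "Condition": {"ArnEquals": {"aws:SourceArn": TOPIC}}},
    {"Effect": "Deny", "Principal": "*", "Action": "sqs:*", "Resource": QUEUE,
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
```
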